Last Updated: December 21, 2016 by Ryan Consell | Version: 1
A few search strings come up often when configuring the ILST. The examples below cover most common situations, and they can be combined to make more complex queries if needed.
LDAP cannot make queries based on OU. Instead, identify the OU in your base DN.
<SearchString>(&(objectclass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))</SearchString>
<BaseDN>OU=employees,OU=Users,DC=company,DC=com</BaseDN>
If you want to sync users that are members of an AD group, you can add a memberOf filter to your query string.
<SearchString>(&(objectclass=user)(mail=*)(memberOf=cn=CaptainPlanet,ou=users,dc=company,dc=com))</SearchString>
You can select people based on attributes in AD just by using the attribute name. The following example finds all users that have "Manager" as their "Title" in AD.
<SearchString>(&(objectclass=user)(mail=*)(Title=Manager))</SearchString>
To exclude users that have been deactivated in your AD, add the following user account control filter to your search string. While this is not typically necessary, it is best practice to include it in all query strings to ensure deactivated people do not get included in any queries.
<SearchString>(&(objectclass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))</SearchString>
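The following is an added example, not part of the ILST or the original article: a small Python helper that combines the clauses above into one search string, escapes literal values per RFC 4515 so they cannot change the filter's structure, checks that parentheses balance before the string goes into the config, and shows which userAccountControl values the bitwise-AND clause excludes. The function names and the sample userAccountControl values are constructed for illustration.

```python
# Added illustration: helper names are hypothetical, not part of the ILST.
BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule used in the page's filter
ACCOUNTDISABLE = 2                  # userAccountControl bit tested by that filter

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value):
    """Escape a literal attribute value for use inside a filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_balanced(filter_text):
    """Return True if every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_filter(group_dn=None, title=None, exclude_disabled=True):
    """Combine the page's clauses into a single AND filter."""
    clauses = ["(objectclass=user)", "(mail=*)"]
    if group_dn:
        clauses.append("(memberOf=%s)" % escape_value(group_dn))
    if title:
        clauses.append("(Title=%s)" % escape_value(title))
    if exclude_disabled:
        clauses.append("(!(userAccountControl:%s:=%d))" % (BIT_AND, ACCOUNTDISABLE))
    return "(&%s)" % "".join(clauses)


def matches_disabled_clause(uac):
    """Evaluate what the bitwise-AND rule tests: is the ACCOUNTDISABLE bit set?"""
    return (uac & ACCOUNTDISABLE) == ACCOUNTDISABLE


if __name__ == "__main__":
    search = build_filter("cn=CaptainPlanet,ou=users,dc=company,dc=com", "Manager")
    print(search, "balanced:", is_balanced(search))
    # Constructed values: 512 enabled, 514 disabled, 66050 disabled + password never expires
    for uac in (512, 514, 66050):
        print(uac, "excluded" if matches_disabled_clause(uac) else "synced")
```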